edgelesssys · miampf · Jan 21, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/.github/workflows/check-measurements-reproducibility.yml b/.github/workflows/check-measurements-reproducibility.yml
@@ -0,0 +1,114 @@
+name: Check measurements reproducibility
+on:
+  workflow_dispatch:
+    inputs:
+      releasetag:
+        type: string
+        description: The release to checkout and download.
+        required: true
+  workflow_call:
+    inputs:
+      releasetag:
+        type: string
+        description: The release to checkout and download.
+        required: true
+
+jobs:
+  check-reproducibility:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.inputs.releasetag }}
+      - name: Set up bazel
+        uses: ./.github/actions/setup_bazel_nix
+        with:
+          useCache: "false"
+          nixTools: |
+            systemdUkify
+            jq
+            jd-diff-patch
+            moreutils
+      - name: Build images
+        id: build-images
+        run: |
+          set -euo pipefail
+
+          # Build required binaries
+          bazel build //image/system:stable
+          bazel build //image/measured-boot/cmd
+          echo "buildPath=$PWD/bazel-bin/image" | tee -a "$GITHUB_OUTPUT"
+          cd "$(mktemp -d)"
+
+      - name: Download measurements
+        run: |
+          curl -O https://cdn.confidential.cloud/constellation/v2/ref/-/stream/stable/${{ github.event.inputs.releasetag }}/image/measurements.json
+
+      - name: Cleanup release measurements and generate our own
+        run: |
+          set -euo pipefail
+          shopt -s extglob
+
+          for directory in ${{ steps.build-images.outputs.buildPath }}/system/!(mkosi_wrapper.sh); do
+            dirname="$(basename "$directory")"
+            csp="$(echo "$dirname" | cut -d_ -f1)"
+            attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+            echo "Comparing measurements of CSP $csp with attestation variant $attestationVariant"
+            # This jq filter selects the measurements for the correct CSP and attestation variant
+            # and then removes all `warnOnly: true` measurements.
+            jq --arg attestation_variant "$attestationVariant" --arg csp "$csp" \
+              '
+                .list.[]
+                | select(
+                  .attestationVariant == $attestation_variant
+                )
+                | select((.csp | ascii_downcase) == $csp)
+                | .measurements
+                | walk(
+                    if (
+                      type=="object" and .warnOnly
+                    )
+                    then del(.) else . end
+                  )
+                | del(..|nulls)
+                | del(.[] .warnOnly)
+              ' \
+              measurements.json > "$attestationVariant"_their-measurements.json
+
+            sudo env "PATH=$PATH" "${{ steps.build-images.outputs.buildPath }}/measured-boot/cmd/cmd_/cmd" "$directory/constellation" ./"$attestationVariant"_own-measurements.json
+            jq '.measurements' ./"$attestationVariant"_own-measurements.json | sponge ./"$attestationVariant"_own-measurements.json
+          done
+
+      - name: Compare measurements
+        run: |
+          # no -e since we need to collect errors later
+          set -uo pipefail
+          shopt -s extglob
+
+          declare -A errors
+
+          for directory in ${{ steps.build-images.outputs.buildPath }}/system/!(mkosi_wrapper.sh); do
+            dirname="$(basename "$directory")"
+            attestationVariant="$(echo "$dirname" | cut -d_ -f2)"
+
+            echo "Their measurements for $attestationVariant:"
+            ts "  " < "$attestationVariant"_their-measurements.json
+            echo "Own measurements for $attestationVariant:"
+            ts "  " < "$attestationVariant"_own-measurements.json
+
+            # TODO: cache errors and return them later.
+            if ! jd ./"$attestationVariant"_their-measurements.json ./"$attestationVariant"_own-measurements.json; then
+              errors["$attestationVariant"]="$(!!)"
+            fi
+          done
+
+          for attestationVariant in "${!errors[@]}"; do
+            echo "Failed to reproduce measurements for $attestationVariant:"
+            echo "${errors["$attestationVariant"]}" | ts "  "
+          done
+
+          if [[ "${#errors[@]}" -ne 0 ]]; then
+            exit 1
+          fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -239,6 +239,13 @@ jobs:
       stream: "stable"
       ref: ${{ needs.verify-inputs.outputs.WORKING_BRANCH }}
 
+  check-measurements-reproducibility:
+    name: Check measurements reproducibility
+    needs: [os-image]
+    uses: ./.github/workflows/check-measurements-reproducibility.yml
+    with:
+      releasetag: ${{ inputs.version }}
+
   update-hardcoded-measurements:
     name: Update hardcoded measurements (in the CLI)
     needs: [verify-inputs, os-image]